Followup on Inquiry about regreSSHion postmortem
Rene Malmgren
rene.malmgren at redtoken.ae
Thu Aug 21 08:22:42 AEST 2025
First, it's fully OK for you to assume I am acting maliciously. I am a contractor that works defense; I don't make money by telling my customers that the world is a pink and happy place. You don't hire us if you want to gamble with your data.
If the project is up to snuff then it should withstand a stupid user asking stupid questions even with malicious intent.
I totally concur that people make mistakes, especially under duress. The problem is that most people don't plan to make their mistakes. This is when things get interesting.
If you take a look at Heartbleed, you can see by following the paper trail that several crucial actions were taken by the developer that are very much out of the ordinary, and that have no obvious reason other than building up for the "mistake" to happen. There is no sleep deprivation or stress involved when you decide to write a document as an RFC that contains several known hazards and then take 2 of your buddies to review it. And sadly, you see the same pattern here.
Why do you introduce line numbers in error messages? We all know it fucks up the code with macros; this is a very, very well-known hazard. What extra information do you provide to the user? Is this a feature that was requested?
Why do you then decide to rename all of the functions and then move them to the bottom of the file? This is the classical way to fuck up the diff. I recently fixed a few name inconsistencies in bitcoinJ and accidentally did an autoformat in the editor, which fucked up the diff. They rightfully threw it in my face and told me to redo it. Here it's OK.
Then comes the "mistake". I assume that if this is standard operational procedure, that the #ifdefs are not in the "OpenBSD" repo, then they need to be manually inserted every time you do this? This must be a known hazard, and one that de Raadt is even proud of. Yet they decide to protect against CVE-2006-5051 with an #ifdef, something that must have been known to the developers back in 2006. This is sloppy, and with a total disregard for the safety of the non-OpenBSD users that the OpenBSD project is legendary for, but malicious? No, it's laziness combined with apathy.
Note that the function sigdie was crafted specially for this reason, and both djm and deraadt signed off on it.
Is it 100% sure that djm remembered all of this 12 years later? No, the plausible deniability is there; it's not as clear cut as my first assumption. Does it improve the assessment in favor of the project? Yes, but not much. If the act was malicious then he knew at check-in that he would be able to claim plausible deniability if discovered. And it's a foregone conclusion that people would protect him, and claim Hanlon's razor, and so on. It's the best software on the planet, an example to others, best track record, yada yada. And anybody that would raise their voice would be flamed.
On the flip side of the coin is it 100% sure that this was a mistake and not a preplanned malicious act that cleverly used, for the culprit's known information, to spike the private budget by selling the non-OpenBSD users' integrity to somebody? No, we can't say, and no information so far provided seems to be able to answer the question.
So, everybody has to make a decision based on their situation and state of paranoia: how much risk are you willing to accept? In the case of our clients the answer is easy: we can't recommend them to take the risk of having their data sold on the grey market, and OpenSSH is usually front-line software; it needs to be up to snuff.
We were triple checking when djm decided to have the discussion "public", so we are having it public, it's fine.
I know the difference between insanity and stupidity, and in this case sloth.
Not that it matters but until 2024 we used to recommend OpenSSH as one of three pillars of defense for the most demanding deployments for secure development environments. Because our clients demand that they should be able to survive 1-2 00 attacks. Then we saw XZ and we said, that was too close for comfort, and now this.
/Rene
________________________________
From: Hendrik Visage <hvisage at hevis.co.za>
Sent: Wednesday, August 20, 2025 11:42 PM
To: Rene Malmgren <rene.malmgren at redtoken.ae>
Cc: Theo de Raadt <deraadt at openbsd.org>; Stuart Henderson <stu at spacehopper.org>; openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Followup on Inquiry about regreSSHion postmortem
Okay Rene,
I'm going to take your own words and philosophy below and make the statement: You are maliciously attacking OpenSSH for your own malicious ideas and greed (the facts at hand at this point in time, using your own philosophy below).
Now let's answer it as a person that has been using SSH since like version 1.1.x, before OpenSSH was a twinkle in the developer's eyes, and not as a project member, just a supporter that likes to stay abreast of things:
On 20 Aug 2025, at 20:40, Rene Malmgren <rene.malmgren at redtoken.ae> wrote:
I make an assessment based on the facts at hand,
You know the folklore about Ronald Opus? Check Wikipedia. So you obviously have not investigated and double- and triple-checked stuff before you just make your first half-baked, half-informed, blatantly malicious claims…
Now the trouble when you try to distinguish between malice and insanity is that malice is usually hidden as insanity.
Seems you totally confuse the wording and meaning of Hanlon's Razor. Refer to Wikipedia.
My personal rule of thumb is not to attribute to insanity what could be attributed to malice unless other data point in that direction.
Yeah, that is the problem, looking for the devil behind each rock, instead of understanding the problems with humans making mistakes, and your own actions. In fact, the issue at hand (and here your lack of the English vernacular is starting to show) is NOT insanity, but rather “stupidity”… or just plain common human error and oversight. Quite… different from the word insanity :P
So, a programmer that makes a "mistake" that is way below their expected performance and then says oh it was a mistake, well usually you should take a very much closer look.
Nope, I've made SEVERAL mistakes as a seasoned sysadmin MANY times… and usually when under pressure or lack of sleep. I owned up to those mistakes, corrected them, took the rap and put the next thing in place to try to prevent similar in future… and then pressure caused me to take yet another shortcut for time/monetary reasons, as pressured by the clients, and I made the mistake again.. sorry, 30+ years in IT as sysadmin is showing my B.o.F.H. side.
So no, I did not assume you had a process that was so hazardous, and that you cared so little for the safety of your non-OpenBSD users.
Again you are mistaken, and assigning the wrong faults to the wrong (persons) processes. The "Portable" version is not a first-class citizen in OpenBSD, and the OpenBSD team I have respect for (I wish I could've used it at the same scale and deployments I am using Linux, but that is a financial discussion outside of this one).
That said, I'll refer you to the Qualys report on this issue!
Obviously coming from the outside, you have to make assumptions,
No, you first have to LEARN and ASK and UNDERSTAND *before* you make assumptions.. like the saying: To ASSUME is making an ASS of U and ME. Assumptions are the mother of all wars… and other cluster<french_word>s .. so when you make assumptions, you are already in the wrong and have to understand that.
that is a disadvantage.
No, it is malicious, i.e. what is your malicious intent here, Rene? You want to show a client to buy something else from you, as they went instead with OpenSSH, and you want to get back at them? Those are the facts I see at hand here, Rene.
You are also not colored by loyalty to the project or organization, that is an advantage.
Depends; from an auditor's perspective perhaps, but then I've had to endure so many audits, and every time they've come back with stuff similar to your "audit", and once they've been educated.. the reports suddenly change from the whacking red to more peaceful yellow and green… much like the South African Springboks' Green and Gold… but now I'm digressing late at night.
Now the way you structure your organization does not help.
Does not help your malicious intent (which is based on your, that is Rene's, philosophy to assign malice instead of stupidity first); it does however assist the OpenBSD and OpenSSH *official* in their design, testing and operations of a security-first operating system. GO install OpenBSD and try to find those exact same problems you've been complaining about, and then come complaining again.
It was your colleague that wanted to have a public discussion, so we are having a public discussion. I think it's good because these questions need to be answered (or not answered) so that we know where we stand.
No Rene, you started to maliciously (again, following your own philosophy here) attack the project's porter of official to portable (for your client's convenience...) and thereby blamed OpenSSH in totality by claiming malice and naming it regreSSHing.
Question, if they (your clients) and you are so security conscious Rene, why aren’t you using and advocating OpenBSD to them? Then you would not have had this problem to worry about in the first case!!!
It's generous that you are providing "free" software for us, unfortunately SAFE provided free software for ByBit and that kind of free cost ByBit 1.5 BUSD, and yes SSH is used to protect way more in assets than ByBit has / had.
Now, on a bit of a different topic, do you know why your server, when asked about a file that looks very similar to a file a regular diff from your repo, easily posted as a reference in an email,
That was me, an outsider seeing a malicious attacker named Rene Malmgren and trying to educate him in his malice.. eh.. now shown to be an insanely stupid person after evidence presented ;(
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/log.c.diff?ipk=fF83_JCDCKqCJ85QEwn7jbP5Ag2cF3ZCTZ6QbjGp4RE&r1=1.52&r2=1.53&f=h
Redirects your browser via 301 to https://theannoyingsite.com/
Don't know where you get that, unless your own browser is compromised, and I pointed you to the direct source to show you your malice.. apologies, you've now brainwashed me .. your stupidity/insanity of not investigating and asking the right questions before jumping on the blame game bandwagon…
Is this the standard way of handling discussion regarding security in OpenSSH?
When you assign malice where human error was at fault, you are asking to be ridiculed.
W.r.t. security: AGAIN, GO INSTALL OpenBSD and stay away from anything Linux if you are really valuing your and your clients' security as much as you claim, as Linux, even though it is my bread and butter, is not as secure as I want it to be… but that is a personal point of view and financial decisions, as Linux is a business/money maker, and decisions are monetary based, not security first, unlike OpenBSD and OpenSSH *official*.
Hendrik Visage
---
Hendrik Visage
Director - HeViS.Co Systems Pty Ltd
T/A Envisage Cloud Solutions
Mobile: +27-84-612-5345
hvisage at hevis.co.za<mailto:hvisage at hevis.co.za>
hvisage at envisage.co.za<mailto:hvisage at envisage.co.za>
Instant messaging: https://t.me/hvisage
/Rene
________________________________
From: Theo de Raadt <deraadt at openbsd.org>
Sent: Wednesday, August 20, 2025 6:09 PM
To: Rene Malmgren <rene.malmgren at redtoken.ae>
Cc: Stuart Henderson <stu at spacehopper.org>; openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Followup on Inquiry about regreSSHion postmortem
Rene,
You have already
- decided to not figure out how -portable merges are handled,
- written a long conclusion accusing malice
Now, after that long conclusion you have "questions" ?
I'm pretty sure nothing will change your mind.
OK, I should be clearer here: yes, there are merges, but explain to me how a merge conflict would remove the two critical flags. I am not talking about surface here. I am talking about a clear step-by-step analysis that shows how the flags got removed.
/Rene
________________________________
From: Stuart Henderson <stu at spacehopper.org>
Sent: Wednesday, August 20, 2025 3:07 PM
To: Rene Malmgren <rene.malmgren at redtoken.ae>
Cc: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Followup on Inquiry about regreSSHion postmortem
On 2025/08/20 10:41, Rene Malmgren wrote:
Actually, there is no evidence in the available data that such a merge even has happened
This is simply the way that cross-platform OpenSSH commits are done:
- they are first made to OpenBSD's CVS tree
- then they are later merged to openssh-portable git with an "upstream: XX" comment and OpenBSD-Commit-ID line (with the RCS ID line synced with that from the OpenBSD tree in the commit)
There is plenty of evidence of this, and nothing on the surface unusual about this merge commit compared with others.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev